Combating Cyber Attacks With Internal Controls

News media in the U.S. are abuzz with stories about cyber attacks as financial institutions emerge as the prime targets of cyber-criminals. Reports suggest that since September 2012, cyber attacks on bank networks have exploded.

Actually, banking and other financial institutions have always been a top target of hackers. During the past few years, renowned banking organizations across the globe have fallen prey to criminal hacks. Beyond huge financial losses, the victims suffer irreparable damage to their trust and credibility, the hallmarks of financial institutions.

The hackers’ predominant activities include spreading malware infections, siphoning login credentials and denial of service attacks that disrupt service to legitimate users. The traditional security attack channels include viruses, keylogger trojans and cross-site scripting. The trojans monitor keystrokes, log them to a file and send them to remote attackers. Scripting, on the other hand, enables malicious attackers to inject client-side script into Web pages viewed by other users and exploit the information to bypass access controls.

Evolving Attack Patterns

Perimeter security software and traffic analysis solutions help in combating traditional attack vectors. However, hackers are starting to change their modus operandi. Cyber criminals are now siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers and Remote Access Trojans (RATs).

Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorized wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.

Another emerging threat is sabotage caused by the insiders at the financial institutions. Disgruntled staff, greedy techies and sacked employees have all been involved in cyber security incidents. Clearly, breaches of trust can occur anywhere, leading to grave consequences.

In internal and external attacks alike, unauthorized access and misuse of privileged passwords — the “keys to the kingdom” — have emerged as the main activities. Administrative passwords, system default accounts and hard-coded credentials in scripts and applications have all become the prime targets of cyber criminals.

Overlooking Privileged Passwords

While internal and external hackers are exploiting administrative passwords with increasing frequency, many financial institutions fail to recognize the importance of this crucial aspect of privileged password management. Passwords of enterprise IT resources are often stored in spreadsheets, text files, homegrown tools, papers or even in physical vaults. Yet these volatile sources are inherently insecure and do little to enhance data security or business reputation.

Passwords are further compromised in IT divisions that deal with thousands of privileged passwords, which are used in a shared environment. This is a standard practice, which leaves a group of administrators to use a common privileged account to access a given resource.

Apart from the “officially shared” passwords, users also tend to reveal administrative passwords to their colleagues, unofficially, for some reason or other. The most common reason for unofficial sharing of a password is to handle an emergency, e.g., an IT manager may reveal the password to a senior member when the manager is on vacation.

Developers, help desk technicians and even third-party vendors may require access to privileged passwords purely on a temporary basis. The passwords are often supplied via email or over the phone, both of which are highly insecure media. Worse, there is no process to revoke access and reset the password after the temporary usage, leaving an even bigger security hole.

Of all the combat measures, bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should strictly be based on job roles and responsibilities. But access restrictions alone are not enough and must be supplemented with clear-cut trails that reveal who accessed what and when.

Likewise, password sharing should be regulated, and a well-established workflow should be in place for release of passwords of sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation should be enforced.

One of the effective ways to bolster internal controls is automating the entire lifecycle of privileged access management and systematically enforcing best practices. Privileged password managers replace manual practices and automatically assist with securely storing privileged identities in a central vault, selectively sharing passwords, enforcing policies and above all, restricting access to and establishing total control over privileged identities.

Bolstering internal controls as detailed above will ensure that privileged identities will not be compromised — even if a hacker manages to penetrate the perimeter. Similarly, the threats due to attacks by malicious insiders are greatly mitigated.

Staying Vigilant

Once internal controls have been tightened, financial institutions must remain vigilant and keep an eye on activities going on inside and around them. Logs from critical systems carry vital information that could prove effective in preventing security incidents. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations and other incidents.

Of course, not all security incidents can be prevented or avoided. Nor can privileged password management thwart all cyber security incidents. However, too many security incidents occur as a result of lax internal controls — poor password management, in particular — and those violations can certainly be prevented. It’s time for IT organizations to take the bull’s eye off of the financial community networks and data and enforce some enterprise-class password protection.

Bala Venkatramani is marketing manager for Password Manager Pro at ManageEngine, part of Zoho Corp. in Chennai, India, and Pleasanton, Calif.